It can be said that the paradigm shift brought about by the new General Data Protection Regulation (GDPR) marked the beginning of a new era in the interpretation of data protection and privacy in the digital world, but the first year of transition has been primarily about learning.
In order to comply with data protection rules, organizations have first had to find out what data they own and what exactly they do with it. The more innovative organizations have realized that through this they create new value in the organization, as proper data management and a holistic picture provide the opportunity to make decisions and manage processes much more efficiently. Organized and analyzed data provide the impetus for growth and innovation.
It can also be said that the GDPR has become a data protection standard, as several countries outside the European Union have already implemented or are in the process of developing regulations that reflect the principles of the GDPR. For example, Brazil, China, India, Japan, South Korea, and the state of California have been active.
In the digital age without borders, this trend to achieve a common global understanding of privacy is very welcomed.
In addition, the GDPR has significantly increased the need for data protection and privacy experts, with half a million data protection professionals already appointed in the European Union. The issue concerns not only technology people or lawyers but also marketers, teachers, government officials, secretaries – in fact, it can be said that today it is difficult to find a profession where you should not be familiar with data protection and information security rules.
However, change occurs in the business culture and must start at the management level. The moment when the concern about data protection leaves the IT room – is the moment change begins. Ideally, the protection of customer privacy could be at the starting point for all business processes – this is also supported by the so-called privacy by design obligation provided for in the GDPR.
In terms of numbers, more than 200,000 cases have been dealt within the European Economic Area during the year, most of which were complaints from individuals and a smaller number of data breach reports.
In total, fines of almost € 56 million have been imposed on 91 companies, of which € 50 million is a fine imposed on Google by the French Data Protection Authority. It cannot be said whether these numbers are large or small, but it can be said that time has been given to lay the groundwork.
A year later, we have established ourselves and seen the big picture – what is left now is to wait for more instructions, new court decisions including fines, which would help clarify the gray areas of the regulation. The entry into force of the ePrivacy Regulation, which regulates the protection of personal data in the field of electronic communications and creates new rules for the use of cookies, is also not far away.
While regulation in this area is certainly essential, it would be ideal if a widespread understanding would develop that the principles and obligations of the GDPR are not just a burden. More broadly behind it lies the key to cultural change, which would ensure security in the digital world, greater trust with the customer, and the means to innovate.
